HalluSquatting: How AI's Hallucinations Could Fuel Massive Botnets
The researchers call it HalluSquatting — short for adversarial hallucination squatting — and the reason it matters is that it flips the usual attacker script. Instead of pushing poisoned prompts at one model at a time, attackers sit back and let LLMs come to them. The trick works because language models, given a new enough package, URL, or repository, will confidently invent a plausible-looking identifier that doesn't exist. Register that identifier first, and the next AI agent that "looks it up" walks straight into your trap. It's a clever piece of research from Tel Aviv University, Technion, and Intuit, and it has a real claim on the title of "new attack class" — not just a wrinkle on prompt injection. That's worth a careful read before any defensiveness kicks in.
What the attack actually does
The paper describes a pull-based supply-chain attack. Coding agents — the kind embedded in tools like GitHub Copilot and Gemini CLI — routinely fetch dependencies, install packages, and read files at the model's direction. When the model hallucinates a resource identifier, it picks a name that looks statistically right for the codebase but maps to nothing registered. An attacker who predicted that hallucination and registered the name first now owns the next response from any agent that asks for it.
The payload is whatever the attacker put there. Reverse shells are the worked example in the source coverage. The endpoint, once executed, can be folded into a botnet, rented out for DDoS or crypto mining, or weaponized into scalable ransomware distribution. None of those are theoretical endpoints; they're the listed outcomes of the attack succeeding.
Why this is different from prompt injection
Most LLM attacks are push-based: a malicious string gets fed to the model, the model misbehaves. They're noisy, one-shot, and depend on the attacker finding the right input channel. HalluSquatting is pull-based. The model comes to the attacker. That inversion is the whole contribution, and it's why the same trick can hit a fleet of agents instead of one.

There's a second lever. The researchers found that LLMs hallucinate far more aggressively on newer resources — the kind of brand-new packages and freshly-registered URLs that an LLM has the least training signal on. Newer means more speculative, and more speculative means more predictable to an attacker willing to bulk-register names. The attack doesn't need to be subtle. It needs to be first.
11 production screens. Login, database, payments — all wired.
The SaaS Dashboard Kit ships everything already connected. Nothing to set up. Live demo at saas.otf-kit.dev.
The real risk surface
A single hallucination, retrieved by a single agent, in a single dev container, looks harmless. Multiply it. Every developer with an AI coding assistant in their editor is, in principle, a potential patient zero, because the agent acts on the developer's behalf, with the developer's credentials, in the developer's network. Once the reverse shell fires, the attacker's blast radius is whatever that developer can reach — source repos, CI runners, package registries, internal services.
This is where the threat stops being abstract for anyone shipping software in 2026. The article calls out GitHub Copilot and Gemini CLI by name. The researchers' framing is general: any coding agent that pulls from external resources on the user's authority is in scope. The reach of the attack is essentially the reach of agentic coding itself.

How to keep using AI assistants without becoming patient zero
The research is light on defense and the authors frame HalluSquatting as a new class still being mapped. That doesn't mean the answer is to stop using AI coding tools — they're load-bearing in modern workflows. The answer is to make hallucinated lookups less catastrophic when they happen. Four concrete moves, in order of effort:
1. Pin everything, then verify what the agent unpins. Coding agents like to "upgrade" dependencies to whatever the model thinks is current. That's exactly the path that opens a hallucination window. Lock dependency versions in your manifest, run a hash check after every agent-driven install, and reject any package version that wasn't on your allowlist before the agent touched the build.
# After an agent-driven install, audit the lockfile
npm audit signatures --production
# or, for Python
pip install --require-hashes -r requirements.txt2. Sandbox the agent's network egress. Most coding agents run with whatever network access the developer's shell has, which is to say: everything. An agent that can fetch arbitrary URLs can be steered to a squatted package. Run the agent inside a sandbox — a dev container, a VM, a hardened CI runner — with an allowlist of registries it can reach. Anything else is a hard block.
// Container-level egress, deny-by-default with explicit allowlist
const allowedRegistries = [
"registry.npmjs.org",
"pypi.org",
"github.com",
// add the registries YOU trust; nothing else resolves
];3. Diff the agent's actions, not just its output. A hallucinated URL only matters if something acts on it. Most editor integrations log the agent's tool calls — file writes, shell commands, network requests. Treat that log like a security log. A package install the developer didn't ask for is a finding, not a feature.
4. Treat brand-new package names as guilty until proven innocent. The researchers' strongest signal is that hallucinations spike on newer resources. If an agent wants to install a package that was published last week, that's the moment to manually verify the maintainer, the repo, and the source before letting it land.
These four aren't new — they've been standard practice in security-conscious shops for years. The contribution of HalluSquatting is to retire the assumption that the "internal dev environment" is a low-value target. With an AI agent in the loop, it isn't. It's a foothold with the developer's keys, the company's network, and the agent's willingness to run whatever the model points it at.
The part underneath the model churn
Here's the angle worth naming. The HalluSquatting paper works because the agent is making a chain of choices on the developer's behalf: which package, which URL, which platform-specific binding, which CDN. Each of those choices is a place a hallucination can land, and each landing is a chance for an attacker to intercept.
The durable way to shrink that surface is to reduce the number of choices the agent has to make in the first place. A cross-platform component that renders the same on web, iOS, and Android from a single source means the agent isn't deciding between three platform-specific packages — it's importing one. A styling system with one canonical token set means the agent isn't fetching a fresh theme on every project. A typed config that validates the registry the agent can reach means the agent doesn't have to guess.
None of this makes HalluSquatting go away. The attack lives in the model's tendency to invent, and that tendency is a property of the model class, not the project. What a tighter cross-platform surface does is shrink the number of moments where the model's invention is load-bearing. The agent still hallucinates; it just hallucinates into a smaller blast radius. Lock the durable layer, validate the rest, and the next clever attack class is a research paper to read on a Thursday — not an incident channel at 2 a.m.
Ship the product, not the setup.
- 11 production screens — auth, billing, team, analytics, settings
- Real database, payments, and login — all wired on day 1
- AI configs pre-tuned so your agent extends instead of regenerates